2014-06-18 11:57 GMT+04:00 Konstantin Kolinko <knst.koli...@gmail.com>:
>>
>> HTTP/1.1 302 Found
>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu,
>> 01-Jan-1970 00:00:10 GMT
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin;
>> Secure; HttpOnly
>> Location: https://X.Y.A.B/admin/login.jsp
>> Content-Length: 0
>> Date: Tue, 17 Jun 2014 16:21:17 GMT
>> Server: XYZ
>>
>
> With that value of "Expires" the cookie is actually being cleared, not set.
>
The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection. When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.

The "HttpOnly" flag says that the cookie should not be accessible from JavaScript code running in the browser. If the cookie is being deleted, is there a way to access it from JavaScript? I think that there is no such way.

So is there any issue here with those flags?

Best regards,
Konstantin Kolinko
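
An added example (not part of the original message and not Tomcat code): a triage helper that follows the reasoning above, classifying each Set-Cookie header as a deletion or a real set and checking Secure/HttpOnly only on cookies that are actually set. It goes beyond the quoted response by also treating Max-Age <= 0 as a deletion; the function names and finding strings are assumptions of this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the two Set-Cookie headers quoted above, folded lines rejoined.
SAMPLE = [
    "JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT",
    "JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly",
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def is_deletion(attrs, now):
    """True when Max-Age <= 0 or Expires is not in the future (Max-Age takes precedence)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # unparseable Max-Age is ignored; fall through to Expires
    if "expires" not in attrs:
        return False  # no expiry attribute: an ordinary session cookie
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return False  # unparseable Expires is ignored, so the cookie is set
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit(headers, now=None):
    """Return {cookie name: finding} for a list of Set-Cookie header values."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for value in headers:
        name, attrs = parse_set_cookie(value)
        if is_deletion(attrs, now):
            findings[name] = "cleared, flags not evaluated"
        else:
            missing = [f for f in ("secure", "httponly") if f not in attrs]
            findings[name] = "set, missing: " + ", ".join(missing) if missing else "set, flags ok"
    return findings
```

Running audit(SAMPLE) reports JSESSIONIDSSO as cleared and JSESSIONID as set with both flags present.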